Understanding Identification and Authentication Failures


Time
2 hours 16 minutes
Difficulty
Intermediate
CEU/CPE
3
Video Transcription
Understanding identification and authentication failures. Our learning objectives are to describe the various types of identification and authentication failures with a focus on broken authentication flaws. Remember, this category used to be broken authentication. Demonstrate how to test for various types of identification and authentication failures, and then explain how to remediate identification and authentication failure vulnerabilities.

Now, what are these types of broken authentication issues? Usually they focus on things like passwords, specifically password vulnerabilities, or password attacks I should say, which are things like credential stuffing, brute-force attacks, default passwords, weak password recovery processes, and issues with multi-factor authentication. Yes, I've seen sometimes in bug bounty where someone can bypass multi-factor authentication: if they have somebody's username and password, they can then bypass the multi-factor, which could be your phone number or something else that you have to authenticate with, or a token. If there's a way to disable that or bypass that, then you don't need that second thing for multi-factor (multi meaning more than one; usually it's dual-factor authentication). You can bypass that simply by using a username and password. We're focusing on authenticating into an application, getting access to a user account or an admin account, which is even better, and these are the different attacks that we're going to focus on.

Let's look at credential stuffing. What's credential stuffing? When I worked in Cyber Threat Intelligence, I saw this a lot in criminal marketplaces, where people would sell combos, which was basically a combination of somebody's username and password. I know this is shocking to you, but people typically reuse a username and password across multiple accounts. That's to say that using things like password management tools is a pretty good idea; always having a different password for a different site is great. But what attackers will hope is that these lists, usually lists of passwords as well, like if you look at rockyou.txt in Kali, that's a huge list from breach sites. We can try to then guess, or stuff I guess you could say, these combos across multiple platforms. If I know your username and password from Facebook, maybe you use that on Instagram, maybe you use that at your work, which of course is not best practice at all. You should always be using different passwords across different platforms, and even different usernames if possible.

What are brute-force attacks? We don't even have a combo. We don't even have somebody's previous username and password that they've used. This is just like it says, a brute-force attack. You'll see here, I can guess that I'm using hydra here: little l, so I'm using it against the admin user, I'm not using it against a word list. Sometimes you can use a word list, like using admin or root or typical admin usernames, and then big P here, tag P for password, I have a password list here that I'm using, again against this IP address 192.168.1.231, the FTP service, and I find that I get lucky with this list of passwords and I find that admin is using a password of 1, 2, 3. I guess you could say it's spray and pray. Usually it's against a known login. I know there's an administrator on a Windows box, I know SMB is there. I can try a long list of passwords and try to brute force that service, and hope that I don't get locked out.

Password spraying. This is pretty effective. This is using the same password, a weak password, across multiple accounts. If I'm looking at an enterprise, if I have some great open source intelligence and I know that they use a particular password for password resets, I could then use that across multiple accounts. This is actually knowing multiple accounts. This is why it's bad to be able to enumerate a valid username from an invalid username when trying to authenticate into an application. What I would do is take a long list of all the users I know and try this default, or I should say this password that I know that they typically use, Summer2021; I guess it's past Summer2021 now. But this has proven to be pretty effective in actually authenticating into somebody's account.

Using a default password, this is really effective. I can't tell you how many times that I've locked out and whatever, usually it's an IoT device, a router or something like that, still has its default username and password, things like admin admin or admin password. People rarely change these things. If you have a router, sometimes routers come shipped with a default username and password; it really depends what service you're using or router you have, but as soon as you get an IoT device, it's good to then change the default password. A lot of times I can simply look in the paperwork, in the setup manual for a router or an IoT device like a Raspberry Pi, and I'll be able to figure out what the default password is and be able to log in. This is very effective, and you'll see Mirai, if you've heard of Mirai, it was a botnet back in 2016 that only used 60 of the most commonly used default usernames and passwords, and it was able to infect over 60,000 devices. That's a lot. That's a lot of people not changing the default username and password.

Also, in addition to passwords, we're looking at sessions; we have some session flaws. Like if you expose the session ID, if it's in the URL, if it's cached in your browser; if you walk away, you're at a hotel, that cached information is there and someone can use your session ID to log in as you. A session ID is not rotated, so if I know your session ID and it's not rotated, I can log in as you again. Your session is not invalidated, so it persists. This is something like, again, if I know your session ID and it's not invalidated, it's always valid, even when you log out; I can then log back in as you. So that's another issue, CWE-384 here.

When you're testing for these, the Web Security Testing Guide is always a good thing to go to. Here are some of them: testing for default credentials, testing for credentials transported over an encrypted channel, testing for weak password policy (this is big too). If there's a default password policy, if there isn't a weak password policy, if I can simply use one character or two characters or use the most commonly guessed or commonly used passwords, this is bad. A lot of enterprises will have password policies where you can't use the most commonly used passwords. If you have the Chrome browser, if you use a commonly used password or a password that's been found in breaches, it will notify you of that. This is a big issue as well. Testing for weak password change or reset functionality: when you go to reset a password, of course, that can be a big weak point as well. If you go to reset your password and it's easily guessed, or there's some way that an attacker can redirect the email to their own inbox to change your password and then get access to your account, that is an issue as well.

How do we prevent this? I talked about multi-factor authentication. If you're using this right, this is a huge mitigation, if an attacker can't bypass multi-factor authentication. If, when I log in, it says we sent a code to an app on your phone, or we've sent a text message to you, that is all good for multi-factor authentication. Again, you want to change default credentials, you want to check for weak passwords; a lot of enterprises already do this, which is really great. You want to have generic messages for logins: like I said with password spraying, if I can attack your web application and get a long list of users, I can then use that Summer2020 or whatever password that may be that I know across multiple accounts. Account lockouts, to prevent brute-force attacks, so after three incorrect password attempts I'm locked out of the account; of course, that can cause a denial of service for legitimate users, so weigh the pros and cons of that. Using server-side session management instead of client side, where I can change things on the client side and in the browser: using the server side to deal with session management is the way to go.

In summary, we've described identification and authentication failures. I went over the Web Security Testing Guide, I'm going to go over a little bit more in the demo next, and then we've looked at ways to remediate and prevent broken authentication issues, or identification and authentication failures.
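One way the mitigations covered in this lesson fit together in code: a generic login failure message whether or not the username exists, a lockout after three failed attempts, and server-side sessions that get a fresh ID on every login and are invalidated on logout. This is an added Python example, not course material; the `AuthService` class, its method names and the three-attempt threshold are assumptions chosen for illustration.

```python
# Added example (not from the course): a minimal login/session handler that
# applies the mitigations from the lesson. Assumed names: AuthService, login,
# logout, whoami; MAX_ATTEMPTS = 3 follows the "three incorrect attempts" figure.
import hashlib
import hmac
import os
import secrets

GENERIC_FAILURE = "Invalid username or password"  # same text for every failure
MAX_ATTEMPTS = 3                                   # lockout threshold (assumed)
_DUMMY = (b"\0" * 16, b"\0" * 32)                  # stand-in record for unknown users


def _hash(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256; 32-byte output matches the dummy record above."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class AuthService:
    def __init__(self) -> None:
        self._users = {}      # username -> (salt, password hash)
        self._failures = {}   # username -> consecutive failed attempts
        self._sessions = {}   # server-side store: session id -> username

    def register(self, username: str, password: str) -> None:
        salt = os.urandom(16)
        self._users[username] = (salt, _hash(password, salt))

    def login(self, username: str, password: str):
        """Returns (True, session_id) on success, else (False, GENERIC_FAILURE)."""
        if self._failures.get(username, 0) >= MAX_ATTEMPTS:
            return False, GENERIC_FAILURE  # locked out; message does not say so
        salt, stored = self._users.get(username, _DUMMY)
        # Always hash and compare in constant time, even for unknown usernames,
        # so neither the message nor the timing reveals which usernames exist.
        if not hmac.compare_digest(_hash(password, salt), stored):
            self._failures[username] = self._failures.get(username, 0) + 1
            return False, GENERIC_FAILURE
        self._failures[username] = 0
        sid = secrets.token_urlsafe(32)   # new, unguessable ID on every login
        self._sessions[sid] = username
        return True, sid

    def whoami(self, sid: str):
        return self._sessions.get(sid)    # None once the session is invalidated

    def logout(self, sid: str) -> None:
        self._sessions.pop(sid, None)     # server forgets it; the old ID is dead
```

Note that a per-username lockout is the denial-of-service trade-off the lesson mentions: anyone who knows a username can lock it for three attempts' worth of time, so production systems usually pair it with a timed reset or per-source rate limiting.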